
In reply to: spectre and the end of langsec -- wingolog

The basis of language security is starting from a programming language with a well-defined, easy-to-understand semantics. From there you can prove (formally or informally) interesting security properties about particular programs.

Continuing…

But the Spectre and Meltdown attacks have seriously set back this endeavor. One manifestation of the Spectre vulnerability is that code running in a process can now read the entirety of its address space, bypassing invariants of the language in which it is written, even if it is written in a “safe” language. This is currently being used by JavaScript programs to exfiltrate passwords from a browser’s password manager, or bitcoin wallets.
